600 lines
28 KiB
Plaintext
600 lines
28 KiB
Plaintext
---
|
|
description: |
|
|
The amazon-ebssurrogate Packer builder is like the chroot builder, but does not
|
|
require running inside an EC2 instance.
|
|
layout: docs
|
|
page_title: 'Amazon EBS Surrogate - Builders'
|
|
sidebar_current: 'docs-builders-amazon-ebssurrogate'
|
|
---
|
|
|
|
# EBS Surrogate Builder
|
|
|
|
Type: `amazon-ebssurrogate`
|
|
|
|
The `amazon-ebssurrogate` Packer builder is able to create Amazon AMIs by
|
|
running a source instance with an attached volume, provisioning the attached
|
|
volume in such a way that it can be used as the root volume for the AMI, and
|
|
then snapshotting and creating the AMI from that volume.
|
|
|
|
This builder can therefore be used to bootstrap scratch-build images - for
|
|
example FreeBSD or Ubuntu using ZFS as the root file system.
|
|
|
|
This is all done in your own AWS account. This builder will create temporary
|
|
key pairs, security group rules, etc., that provide it temporary access to the
|
|
instance while the image is being created.
|
|
|
|
## Configuration Reference
|
|
|
|
There are many configuration options available for this builder. They are
|
|
segmented below into two categories: required and optional parameters. Within
|
|
each category, the available configuration keys are alphabetized.
|
|
|
|
In addition to the options listed here, a
|
|
[communicator](/docs/templates/communicator.html) can be configured for this
|
|
builder.
|
|
|
|
### Required:
|
|
|
|
- `access_key` (string) - The access key used to communicate with AWS. [Learn
|
|
how to set this](/docs/builders/amazon.html#specifying-amazon-credentials)
|
|
|
|
- `ami_name` (string) - The name of the resulting AMI that will appear when
|
|
managing AMIs in the AWS console or via APIs. This must be unique. To help
|
|
make this unique, use a function like `timestamp` (see [template
|
|
engine](../templates/engine.html) for more info).
|
|
|
|
- `instance_type` (string) - The EC2 instance type to use while building the
|
|
AMI, such as `m1.small`.
|
|
|
|
- `region` (string) - The name of the region, such as `us-east-1`, in which
|
|
to launch the EC2 instance to create the AMI.
|
|
|
|
- `secret_key` (string) - The secret key used to communicate with AWS. [Learn
|
|
how to set this](/docs/builders/amazon.html#specifying-amazon-credentials)
|
|
|
|
- `source_ami` (string) - The initial AMI used as a base for the newly
|
|
created machine. `source_ami_filter` may be used instead to populate this
|
|
automatically.
|
|
|
|
- `ami_root_device` (block device mapping) - A block device mapping
|
|
describing the root device of the AMI. This looks like the mappings in
|
|
`ami_block_device_mapping`, except with an additional field:
|
|
|
|
- `source_device_name` (string) - The device name of the block device on
|
|
the source instance to be used as the root device for the AMI. This
|
|
must correspond to a block device in `launch_block_device_mapping`.
|
|
|
|
### Optional:
|
|
|
|
- `ami_architecture` (string) - what architecture to use when registering the
|
|
final AMI; valid options are "x86_64" or "arm64". Defaults to "x86_64".
|
|
|
|
- `ami_block_device_mappings` (array of block device mappings) - Add one or
|
|
more [block device
|
|
mappings](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html)
|
|
to the AMI. These will be attached when booting a new instance from your
|
|
AMI. To add a block device during the packer build see
|
|
`launch_block_device_mappings` below. Your options here may vary depending
|
|
on the type of VM you use. The block device mappings allow for the
|
|
following configuration:
|
|
|
|
<%= partial "partials/builders/aws-common-block-device-a-i" %>
|
|
|
|
<%= partial "partials/builders/aws-common-block-device-i-v" %>
|
|
|
|
- `ami_description` (string) - The description to set for the resulting
|
|
AMI(s). By default this description is empty. This is a [template
|
|
engine](/docs/templates/engine.html), see [Build template
|
|
data](#build-template-data) for more information.
|
|
|
|
- `ami_groups` (array of strings) - A list of groups that have access to
|
|
launch the resulting AMI(s). By default no groups have permission to launch
|
|
the AMI. `all` will make the AMI publicly accessible. AWS currently doesn't
|
|
accept any value other than `all`.
|
|
|
|
- `ami_product_codes` (array of strings) - A list of product codes to
|
|
associate with the AMI. By default no product codes are associated with the
|
|
AMI.
|
|
|
|
- `ami_regions` (array of strings) - A list of regions to copy the AMI to.
|
|
Tags and attributes are copied along with the AMI. AMI copying takes time
|
|
depending on the size of the AMI, but will generally take many minutes.
|
|
|
|
- `ami_users` (array of strings) - A list of account IDs that have access to
|
|
launch the resulting AMI(s). By default no additional users other than the
|
|
user creating the AMI has permissions to launch it.
|
|
|
|
- `ami_virtualization_type` (string) - The type of virtualization for the AMI
|
|
you are building. This option must match the supported virtualization type
|
|
of `source_ami`. Can be `paravirtual` or `hvm`.
|
|
|
|
- `associate_public_ip_address` (boolean) - If using a non-default VPC,
|
|
public IP addresses are not provided by default. If this is `true`, your
|
|
new instance will get a Public IP. default: `false`
|
|
|
|
- `availability_zone` (string) - Destination availability zone to launch
|
|
instance in. Leave this empty to allow Amazon to auto-assign.
|
|
|
|
- `block_duration_minutes` (int64) - Requires `spot_price` to be set. The
|
|
required duration for the Spot Instances (also known as Spot blocks). This
|
|
value must be a multiple of 60 (60, 120, 180, 240, 300, or 360). You can't
|
|
specify an Availability Zone group or a launch group if you specify a
|
|
duration.
|
|
|
|
- `custom_endpoint_ec2` (string) - This option is useful if you use a cloud
|
|
provider whose API is compatible with aws EC2. Specify another endpoint
|
|
like this `https://ec2.custom.endpoint.com`.
|
|
|
|
- `decode_authorization_messages` (boolean) - Enable automatic decoding of
|
|
any encoded authorization (error) messages using the
|
|
`sts:DecodeAuthorizationMessage` API. Note: requires that the effective
|
|
user/role have permissions to `sts:DecodeAuthorizationMessage` on resource
|
|
`*`. Default `false`.
|
|
|
|
- `disable_stop_instance` (boolean) - Packer normally stops the build
|
|
instance after all provisioners have run. For Windows instances, it is
|
|
sometimes desirable to [run
|
|
Sysprep](http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ami-create-standard.html)
|
|
which will stop the instance for you. If this is set to true, Packer *will
|
|
not* stop the instance but will assume that you will send the stop signal
|
|
yourself through your final provisioner. You can do this with a
|
|
[windows-shell
|
|
provisioner](https://www.packer.io/docs/provisioners/windows-shell.html).
|
|
|
|
Note that Packer will still wait for the instance to be stopped, and
|
|
failing to send the stop signal yourself, when you have set this flag to
|
|
`true`, will cause a timeout.
|
|
|
|
Example of a valid shutdown command:
|
|
|
|
``` json
|
|
{
|
|
"type": "windows-shell",
|
|
"inline": ["\"c:\\Program Files\\Amazon\\Ec2ConfigService\\ec2config.exe\" -sysprep"]
|
|
}
|
|
```
|
|
|
|
- `ebs_optimized` (boolean) - Mark instance as [EBS
|
|
Optimized](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSOptimized.html).
|
|
Default `false`.
|
|
|
|
- `ena_support` (boolean) - Enable enhanced networking (ENA but not
|
|
SriovNetSupport) on HVM-compatible AMIs. If set, add
|
|
`ec2:ModifyInstanceAttribute` to your AWS IAM policy. If false, this will
|
|
disable enhanced networking in the final AMI as opposed to passing the
|
|
setting through unchanged from the source. Note: you must make sure
|
|
enhanced networking is enabled on your instance. See [Amazon's
|
|
documentation on enabling enhanced
|
|
networking](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enhanced-networking.html#enabling_enhanced_networking).
|
|
|
|
- `enable_t2_unlimited` (boolean) - Enabling T2 Unlimited allows the source
|
|
instance to burst additional CPU beyond its available [CPU
|
|
Credits](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/t2-credits-baseline-concepts.html)
|
|
for as long as the demand exists. This is in contrast to the standard
|
|
configuration that only allows an instance to consume up to its available
|
|
CPU Credits. See the AWS documentation for [T2
|
|
Unlimited](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/t2-unlimited.html)
|
|
and the **T2 Unlimited Pricing** section of the [Amazon EC2 On-Demand
|
|
Pricing](https://aws.amazon.com/ec2/pricing/on-demand/) document for more
|
|
information. By default this option is disabled and Packer will set up a
|
|
[T2
|
|
Standard](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/t2-std.html)
|
|
instance instead.
|
|
|
|
To use T2 Unlimited you must use a T2 instance type, e.g. `t2.micro`.
|
|
Additionally, T2 Unlimited cannot be used in conjunction with Spot
|
|
Instances, e.g. when the `spot_price` option has been configured.
|
|
Attempting to do so will cause an error.
|
|
|
|
!> **Warning!** Additional costs may be incurred by enabling T2
|
|
Unlimited - even for instances that would usually qualify for the [AWS Free
|
|
Tier](https://aws.amazon.com/free/).
|
|
|
|
- `encrypt_boot` (boolean) - Whether or not to encrypt the resulting AMI when
|
|
copying a provisioned instance to an AMI. By default, Packer will keep the
|
|
encryption setting to what it was in the source image. Setting `false` will
|
|
result in an unencrypted image, and `true` will result in an encrypted one.
|
|
|
|
- `force_deregister` (boolean) - Force Packer to first deregister an existing
|
|
AMI if one with the same name already exists. Default `false`.
|
|
|
|
- `force_delete_snapshot` (boolean) - Force Packer to delete snapshots
|
|
associated with AMIs, which have been deregistered by `force_deregister`.
|
|
Default `false`.
|
|
|
|
<%= partial "partials/builders/aws-common-opional-fields" %>
|
|
|
|
- `iam_instance_profile` (string) - The name of an [IAM instance
|
|
profile](https://docs.aws.amazon.com/IAM/latest/UserGuide/instance-profiles.html)
|
|
to launch the EC2 instance with.
|
|
|
|
- `insecure_skip_tls_verify` (boolean) - This allows skipping TLS
|
|
verification of the AWS EC2 endpoint. The default is `false`.
|
|
|
|
- `launch_block_device_mappings` (array of block device mappings) - Add one
|
|
or more block devices before the Packer build starts. If you add instance
|
|
store volumes or EBS volumes in addition to the root device volume, the
|
|
created AMI will contain block device mapping information for those
|
|
volumes. Amazon creates snapshots of the source instance's root volume and
|
|
any other EBS volumes described here. When you launch an instance from this
|
|
new AMI, the instance automatically launches with these additional volumes,
|
|
and will restore them from snapshots taken from the source instance.
|
|
|
|
In addition to the fields available in ami_block_device_mappings, you may
|
|
optionally use the following field:
|
|
- `omit_from_artifact` (boolean) - If true, this block device will not
|
|
be snapshotted and the created AMI will not contain block device mapping
|
|
information for this volume. If false, the block device will be mapped
|
|
into the final created AMI. Set this option to true if you need a block
|
|
device mounted in the surrogate AMI but not in the final created AMI.
|
|
|
|
- `mfa_code` (string) - The MFA
|
|
[TOTP](https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm)
|
|
code. This should probably be a user variable since it changes all the
|
|
time.
|
|
|
|
- `profile` (string) - The profile to use in the shared credentials file for
|
|
AWS. See Amazon's documentation on [specifying
|
|
profiles](https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-profiles)
|
|
for more details.
|
|
|
|
- `region_kms_key_ids` (map of strings) - a map of regions to copy the ami
|
|
to, along with the custom kms key id (alias or arn) to use for encryption
|
|
for that region. Keys must match the regions provided in `ami_regions`. If
|
|
you just want to encrypt using a default ID, you can stick with
|
|
`kms_key_id` and `ami_regions`. If you want a region to be encrypted with
|
|
that region's default key ID, you can use an empty string `""` instead of a
|
|
key id in this map. (e.g. `"us-east-1": ""`) However, you cannot use
|
|
default key IDs if you are using this in conjunction with `snapshot_users`
|
|
-- in that situation you must use custom keys. For valid formats see
|
|
*KmsKeyId* in the [AWS API docs -
|
|
CopyImage](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CopyImage.html).
|
|
|
|
This option supercedes the `kms_key_id` option -- if you set both, and they
|
|
are different, Packer will respect the value in `region_kms_key_ids` for
|
|
your build region and silently disregard the value provided in `kms_key_id`.
|
|
|
|
- `run_tags` (object of key/value strings) - Tags to apply to the instance
|
|
that is *launched* to create the AMI. These tags are *not* applied to the
|
|
resulting AMI unless they're duplicated in `tags`. This is a [template
|
|
engine](/docs/templates/engine.html), see [Build template
|
|
data](#build-template-data) for more information.
|
|
|
|
- `run_volume_tags` (object of key/value strings) - Tags to apply to the
|
|
volumes that are *launched* to create the AMI. These tags are *not* applied
|
|
to the resulting AMI unless they're duplicated in `tags`. This is a
|
|
[template engine](/docs/templates/engine.html), see [Build template
|
|
data](#build-template-data) for more information.
|
|
|
|
- `security_group_id` (string) - The ID (*not* the name) of the security
|
|
group to assign to the instance. By default this is not set and Packer will
|
|
automatically create a new temporary security group to allow SSH access.
|
|
Note that if this is specified, you must be sure the security group allows
|
|
access to the `ssh_port` given below.
|
|
|
|
- `security_group_ids` (array of strings) - A list of security groups as
|
|
described above. Note that if this is specified, you must omit the
|
|
`security_group_id`.
|
|
|
|
- `security_group_filter` (object) - Filters used to populate the
|
|
`security_group_ids` field. Example:
|
|
|
|
``` json
|
|
{
|
|
"security_group_filter": {
|
|
"filters": {
|
|
"tag:Class": "packer"
|
|
}
|
|
}
|
|
}
|
|
```
|
|
|
|
This selects the SG's with tag `Class` with the value `packer`.
|
|
|
|
- `filters` (map of strings) - filters used to select a
|
|
`security_group_ids`. Any filter described in the docs for
|
|
[DescribeSecurityGroups](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html)
|
|
is valid.
|
|
|
|
`security_group_ids` take precedence over this.
|
|
|
|
- `shutdown_behavior` (string) - Automatically terminate instances on
|
|
shutdown incase packer exits ungracefully. Possible values are "stop" and
|
|
"terminate", default is `stop`.
|
|
|
|
- `skip_region_validation` (boolean) - Set to true if you want to skip
|
|
validation of the region configuration option. Default `false`.
|
|
|
|
- `snapshot_groups` (array of strings) - A list of groups that have access to
|
|
create volumes from the snapshot(s). By default no groups have permission
|
|
to create volumes from the snapshot(s). `all` will make the snapshot
|
|
publicly accessible.
|
|
|
|
- `snapshot_users` (array of strings) - A list of account IDs that have
|
|
access to create volumes from the snapshot(s). By default no additional
|
|
users other than the user creating the AMI has permissions to create
|
|
volumes from the backing snapshot(s).
|
|
|
|
- `snapshot_tags` (object of key/value strings) - Tags to apply to snapshot.
|
|
They will override AMI tags if already applied to snapshot. This is a
|
|
[template engine](/docs/templates/engine.html), see [Build template
|
|
data](#build-template-data) for more information.
|
|
|
|
- `source_ami_filter` (object) - Filters used to populate the `source_ami`
|
|
field. Example:
|
|
|
|
``` json
|
|
{
|
|
"source_ami_filter": {
|
|
"filters": {
|
|
"virtualization-type": "hvm",
|
|
"name": "ubuntu/images/*ubuntu-xenial-16.04-amd64-server-*",
|
|
"root-device-type": "ebs"
|
|
},
|
|
"owners": ["099720109477"],
|
|
"most_recent": true
|
|
}
|
|
}
|
|
```
|
|
|
|
This selects the most recent Ubuntu 16.04 HVM EBS AMI from Canonical. NOTE:
|
|
This will fail unless *exactly* one AMI is returned. In the above example,
|
|
`most_recent` will cause this to succeed by selecting the newest image.
|
|
|
|
- `filters` (map of strings) - filters used to select a `source_ami`.
|
|
NOTE: This will fail unless *exactly* one AMI is returned. Any filter
|
|
described in the docs for
|
|
[DescribeImages](http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeImages.html)
|
|
is valid.
|
|
|
|
- `owners` (array of strings) - Filters the images by their owner. You
|
|
may specify one or more AWS account IDs, `self` (which will use the
|
|
account whose credentials you are using to run Packer), or an AWS owner
|
|
alias: for example, `amazon`, `aws-marketplace`, or `microsoft`. This
|
|
option is required for security reasons.
|
|
|
|
- `most_recent` (boolean) - Selects the newest created image when true.
|
|
This is most useful for selecting a daily distro build.
|
|
|
|
You may set this in place of `source_ami` or in conjunction with it. If you
|
|
set this in conjunction with `source_ami`, the `source_ami` will be added
|
|
to the filter. The provided `source_ami` must meet all of the filtering
|
|
criteria provided in `source_ami_filter`; this pins the AMI returned by the
|
|
filter, but will cause Packer to fail if the `source_ami` does not exist.
|
|
|
|
<%= partial "partials/builders/aws-spot-docs" %>
|
|
|
|
- `sriov_support` (boolean) - Enable enhanced networking (SriovNetSupport but
|
|
not ENA) on HVM-compatible AMIs. If true, add `ec2:ModifyInstanceAttribute`
|
|
to your AWS IAM policy. Note: you must make sure enhanced networking is
|
|
enabled on your instance. See [Amazon's documentation on enabling enhanced
|
|
networking](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enhanced-networking.html#enabling_enhanced_networking).
|
|
Default `false`.
|
|
|
|
- `ssh_keypair_name` (string) - If specified, this is the key that will be
|
|
used for SSH with the machine. The key must match a key pair name loaded up
|
|
into Amazon EC2. By default, this is blank, and Packer will generate a
|
|
temporary keypair unless
|
|
[`ssh_password`](/docs/templates/communicator.html#ssh_password) is used.
|
|
[`ssh_private_key_file`](/docs/templates/communicator.html#ssh_private_key_file)
|
|
or `ssh_agent_auth` must be specified when `ssh_keypair_name` is utilized.
|
|
|
|
- `ssh_agent_auth` (boolean) - If true, the local SSH agent will be used to
|
|
authenticate connections to the source instance. No temporary keypair will
|
|
be created, and the values of `ssh_password` and `ssh_private_key_file`
|
|
will be ignored. To use this option with a key pair already configured in
|
|
the source AMI, leave the `ssh_keypair_name` blank. To associate an
|
|
existing key pair in AWS with the source instance, set the
|
|
`ssh_keypair_name` field to the name of the key pair.
|
|
|
|
- `ssh_private_ip` (boolean) - No longer supported. See
|
|
[`ssh_interface`](#ssh_interface). A fixer exists to migrate.
|
|
|
|
- `ssh_interface` (string) - One of `public_ip`, `private_ip`, `public_dns`
|
|
or `private_dns`. If set, either the public IP address, private IP address,
|
|
public DNS name or private DNS name will used as the host for SSH. The
|
|
default behaviour if inside a VPC is to use the public IP address if
|
|
available, otherwise the private IP address will be used. If not in a VPC
|
|
the public DNS name will be used. Also works for WinRM.
|
|
|
|
Where Packer is configured for an outbound proxy but WinRM traffic should
|
|
be direct, `ssh_interface` must be set to `private_dns` and
|
|
`<region>.compute.internal` included in the `NO_PROXY` environment
|
|
variable.
|
|
|
|
- `subnet_id` (string) - If using VPC, the ID of the subnet, such as
|
|
`subnet-12345def`, where Packer will launch the EC2 instance. This field is
|
|
required if you are using an non-default VPC.
|
|
|
|
- `subnet_filter` (object) - Filters used to populate the `subnet_id` field.
|
|
Example:
|
|
|
|
``` json
|
|
{
|
|
"subnet_filter": {
|
|
"filters": {
|
|
"tag:Class": "build"
|
|
},
|
|
"most_free": true,
|
|
"random": false
|
|
}
|
|
}
|
|
```
|
|
|
|
This selects the Subnet with tag `Class` with the value `build`, which has
|
|
the most free IP addresses. NOTE: This will fail unless *exactly* one
|
|
Subnet is returned. By using `most_free` or `random` one will be selected
|
|
from those matching the filter.
|
|
|
|
- `filters` (map of strings) - filters used to select a `subnet_id`.
|
|
NOTE: This will fail unless *exactly* one Subnet is returned. Any
|
|
filter described in the docs for
|
|
[DescribeSubnets](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSubnets.html)
|
|
is valid.
|
|
|
|
- `most_free` (boolean) - The Subnet with the most free IPv4 addresses
|
|
will be used if multiple Subnets matches the filter.
|
|
|
|
- `random` (boolean) - A random Subnet will be used if multiple Subnets
|
|
matches the filter. `most_free` have precendence over this.
|
|
|
|
`subnet_id` take precedence over this.
|
|
|
|
- `tags` (object of key/value strings) - Tags applied to the AMI and relevant
|
|
snapshots. This is a [template engine](/docs/templates/engine.html), see
|
|
[Build template data](#build-template-data) for more information.
|
|
|
|
- `temporary_key_pair_name` (string) - The name of the temporary keypair to
|
|
generate. By default, Packer generates a name with a UUID.
|
|
|
|
- `temporary_security_group_source_cidrs` (list of string) - A list of IPv4
|
|
CIDR blocks to be authorized access to the instance, when packer is creating a temporary security group.
|
|
|
|
The default is [`0.0.0.0/0`] (i.e., allow any IPv4 source). This is only used when `security_group_id` or `security_group_ids` is not specified.
|
|
|
|
- `token` (string) - The access token to use. This is different from the
|
|
access key and secret key. If you're not sure what this is, then you
|
|
probably don't need it. This will also be read from the `AWS_SESSION_TOKEN`
|
|
environmental variable.
|
|
|
|
- `user_data` (string) - User data to apply when launching the instance. Note
|
|
that you need to be careful about escaping characters due to the templates
|
|
being JSON. It is often more convenient to use `user_data_file`, instead.
|
|
Packer will not automatically wait for a user script to finish before
|
|
shutting down the instance this must be handled in a provisioner.
|
|
|
|
- `user_data_file` (string) - Path to a file that will be used for the user
|
|
data when launching the instance.
|
|
|
|
- `vault_aws_engine` (object) - Get credentials from Hashicorp Vault's aws
|
|
secrets engine. You must already have created a role to use. For more
|
|
information about generating credentials via the Vault engine, see the
|
|
[Vault
|
|
docs.](https://www.vaultproject.io/api/secret/aws/index.html#generate-credentials)
|
|
If you set this flag, you must also set the below options:
|
|
- `name` (string) - Required. Specifies the name of the role to generate
|
|
credentials against. This is part of the request URL.
|
|
- `engine_name` (string) - The name of the aws secrets engine. In the Vault
|
|
docs, this is normally referred to as "aws", and Packer will default to
|
|
"aws" if `engine_name` is not set.
|
|
- `role_arn` (string)- The ARN of the role to assume if credential\_type on
|
|
the Vault role is assumed\_role. Must match one of the allowed role ARNs in
|
|
the Vault role. Optional if the Vault role only allows a single AWS role
|
|
ARN; required otherwise.
|
|
- `ttl` (string) - Specifies the TTL for the use of the STS token. This is
|
|
specified as a string with a duration suffix. Valid only when
|
|
credential\_type is assumed\_role or federation\_token. When not specified,
|
|
the default\_sts\_ttl set for the role will be used. If that is also not
|
|
set, then the default value of 3600s will be used. AWS places limits on the
|
|
maximum TTL allowed. See the AWS documentation on the DurationSeconds
|
|
parameter for AssumeRole (for assumed\_role credential types) and
|
|
GetFederationToken (for federation\_token credential types) for more
|
|
details.
|
|
|
|
Example:
|
|
`json { "vault_aws_engine": { "name": "myrole", "role_arn": "myarn", "ttl": "3600s" } }`
|
|
- `vpc_id` (string) - If launching into a VPC subnet, Packer needs the VPC ID
|
|
in order to create a temporary security group within the VPC. Requires
|
|
`subnet_id` to be set. If this field is left blank, Packer will try to get
|
|
the VPC ID from the `subnet_id`.
|
|
|
|
- `vpc_filter` (object) - Filters used to populate the `vpc_id` field.
|
|
Example:
|
|
|
|
``` json
|
|
{
|
|
"vpc_filter": {
|
|
"filters": {
|
|
"tag:Class": "build",
|
|
"isDefault": "false",
|
|
"cidr": "/24"
|
|
}
|
|
}
|
|
}
|
|
```
|
|
|
|
This selects the VPC with tag `Class` with the value `build`, which is not
|
|
the default VPC, and have a IPv4 CIDR block of `/24`. NOTE: This will fail
|
|
unless *exactly* one VPC is returned.
|
|
|
|
- `filters` (map of strings) - filters used to select a `vpc_id`. NOTE:
|
|
This will fail unless *exactly* one VPC is returned. Any filter
|
|
described in the docs for
|
|
[DescribeVpcs](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVpcs.html)
|
|
is valid.
|
|
|
|
`vpc_id` take precedence over this.
|
|
|
|
- `windows_password_timeout` (string) - The timeout for waiting for a Windows
|
|
password for Windows instances. Defaults to 20 minutes. Example value:
|
|
`10m`
|
|
|
|
## Basic Example
|
|
|
|
``` json
|
|
{
|
|
"type" : "amazon-ebssurrogate",
|
|
"secret_key" : "YOUR SECRET KEY HERE",
|
|
"access_key" : "YOUR KEY HERE",
|
|
"region" : "us-east-1",
|
|
"ssh_username" : "ubuntu",
|
|
"instance_type" : "t2.medium",
|
|
"source_ami" : "ami-40d28157",
|
|
"launch_block_device_mappings" : [
|
|
{
|
|
"volume_type" : "gp2",
|
|
"device_name" : "/dev/xvdf",
|
|
"delete_on_termination" : false,
|
|
"volume_size" : 10
|
|
}
|
|
],
|
|
"ami_root_device": {
|
|
"source_device_name": "/dev/xvdf",
|
|
"device_name": "/dev/xvda",
|
|
"delete_on_termination": true,
|
|
"volume_size": 16,
|
|
"volume_type": "gp2"
|
|
}
|
|
}
|
|
```
|
|
|
|
-> **Note:** Packer can also read the access key and secret access key from
|
|
environmental variables. See the configuration reference in the section above
|
|
for more information on what environmental variables Packer will look for.
|
|
|
|
Further information on locating AMI IDs and their relationship to instance
|
|
types and regions can be found in the AWS EC2 Documentation [for
|
|
Linux](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/finding-an-ami.html)
|
|
or [for
|
|
Windows](http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/finding-an-ami.html).
|
|
|
|
## Accessing the Instance to Debug
|
|
|
|
If you need to access the instance to debug for some reason, run this builder
|
|
with the `-debug` flag. In debug mode, the Amazon builder will save the private
|
|
key in the current directory and will output the DNS or IP information as well.
|
|
You can use this information to access the instance as it is running.
|
|
|
|
## Build template data
|
|
|
|
In configuration directives marked as a template engine above, the following
|
|
variables are available:
|
|
|
|
- `BuildRegion` - The region (for example `eu-central-1`) where Packer is
|
|
building the AMI.
|
|
- `SourceAMI` - The source AMI ID (for example `ami-a2412fcd`) used to build
|
|
the AMI.
|
|
- `SourceAMIName` - The source AMI Name (for example
|
|
`ubuntu/images/ebs-ssd/ubuntu-xenial-16.04-amd64-server-20180306`) used to
|
|
build the AMI.
|
|
- `SourceAMITags` - The source AMI Tags, as a `map[string]string` object.
|
|
|
|
-> **Note:** Packer uses pre-built AMIs as the source for building images.
|
|
These source AMIs may include volumes that are not flagged to be destroyed on
|
|
termination of the instance building the new image. In addition to those
|
|
volumes created by this builder, any volumes inn the source AMI which are not
|
|
marked for deletion on termination will remain in your account.
|
|
|
|
|
|
<%= partial "partials/builders/aws-ssh-differentiation-table" %>
|